Phone Factor Authentication

ABSTRACT

Systems and techniques are described for authenticating a user. A described technique includes receiving, by an identity management application running on a user computer, a request to authenticate a user to access a user application using the user computer. The technique includes determining, by the identity management application, that a mobile device associated with the user is connected to the user computer using a short distance wireless connection. The technique includes requesting, by the identity management application running on the user computer, authentication information for the user from the mobile device over the short distance wireless connection. The technique includes receiving, by the identity management application running on the user computer, the authentication information for the user from the mobile device over the short distance wireless connection. In response to receiving the authentication information, the technique includes authenticating the user to access the user application using the user computer.

BACKGROUND

This document relates to authentication on behalf of a user by theuser's mobile device.

Identity management is the task of controlling information about userson computers, including information that authenticates the identity of auser and information that describes data and actions they are authorizedto access and/or perform.

SUMMARY

In general, one aspect of the subject matter described in this documentcan be embodied in a technique that includes receiving, by an identitymanagement application running on a user computer, a request toauthenticate a user to access a user application using the usercomputer, determining, by the identity management application running onthe user computer, that a mobile device associated with the user isconnected to the user computer using a short distance wirelessconnection, requesting, by the identity management application runningon the user computer, authentication information for the user from themobile device over the short distance wireless connection, receiving, bythe identity management application running on the user computer, theauthentication information for the user from the mobile device over theshort distance wireless connection, and in response to receiving theauthentication information, authenticating the user to access the userapplication using the user computer.

These and other aspects can optionally include one or more of thefollowing features. Aspects can include determining, by the identitymanagement application running on the user computer, that the mobiledevice is no longer connected to the user computer using the shortdistance wireless connection, and in response, revoking theauthentication for the user to access the user application using theuser computer. In some implementations, the short distance wirelessconnection can only be established between devices within apredetermined distance of each other.

In some implementations, the determining, the requesting, the receiving,and the authenticating occur automatically in response to receiving therequest to authenticate the user to access the user application usingthe user computer. In some implementations, the authenticationinformation can only be used to authenticate the user once.

Aspects can include receiving, by the mobile device, the request forauthentication information from the user device over the short distancewireless connection, and in response to the request: providingcredentials for the user to an identity management system, receiving theauthentication information from the identity management system inresponse to providing the credentials, and providing the authenticationinformation to the user device over the short distance wirelessconnection. Aspects can further include receiving, by the identitymanagement system, a request to authenticate the user, determining, bythe identity management system, that mobile authentication is availablefor the request to authenticate the user, and providing a challenge tothe user device for credentials from the mobile device.

Aspects can additionally include providing the authenticationinformation to the identity management system in response to thechallenge or causing the authentication information to be provided tothe identity management system in response to the challenge. Aspects canfurther include receiving, by the identity management system, thecredentials from the mobile device, generating, by the identitymanagement system, the authentication information, and transmitting, bythe identity management system, the authentication information to themobile device.

Particular embodiments of the subject matter described in this documentcan be implemented so as to realize one or more of the followingadvantages. A user can experience a seamless authentication to a userapplication without providing further input to an authentication portalor system. The latency between attempting to access a user applicationfrom a remote computer and being granted access to the user applicationis reduced. The performance of an identity management system can beimproved by reducing the need for parsing input from human users.

The details of one or more embodiments of the subject matter describedin this document are set forth in the accompanying drawings and thedescription below. Other features, aspects, and advantages of thesubject matter will become apparent from the description, the drawings,and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that shows an example system forauthentication on behalf of a user by the user's mobile device.

FIG. 2 is a diagram of an example process of registering a user's mobiledevice with an identity management system for use as an authenticationclient.

FIG. 3 is a diagram of an example process of authentication on behalf ofa user by the user's mobile device.

FIG. 4 is a flow chart of an example technique for user authentication.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

This document generally describes techniques for authentication of auser on the user's behalf by the user's mobile device.

An identity management system may allow a user to access remotely-storeddata or remotely-executing applications using a user device through theuser's mobile device. For example, a doctor in a hospital can beauthenticated and access a medical application on a computer in apatient's room through his or her smartphone.

In some examples, a setup process is needed before a user can use amobile device for authentication. For example, an identity managementapplication maybe be installed on a user's mobile device, such as asmartphone, laptop, tablet, etc. In some examples, an administrator mayautomatically install the application for users under their purview. Forexample, an IT administrator for a corporation may install the identitymanagement application for their Mobile Device Management (MDM) users.

The process may include registering the user's mobile device as anauthorization client with the identity management system. For example,the user may register their smartphone as an authorization client withthe identity management system. In some examples, the registration ofthe user's mobile device is automated. For example, an IT administratorcould automatically register their organization's MDM users' mobiledevices as authorization clients with the identity management system.

The process may include the user enabling their mobile device and theuser device to communicate. In some examples, this communication is overa short distance wireless connection. For example, the communication maybe through Bluetooth, radio frequency identification (RFID) and subsetsof RFID such as near field communication (NFC), etc. Restrictingcommunication over a short distance wireless connection providesincreased security by confirming that the user's mobile device, andtherefore the user, is physically proximate to the user device.

The process may include an administrator configuring the identitymanagement system policy to allow authentication of users through mobiledevices. For example, an IT administrator of a corporation may configurethe identity management system policy of their corporation to allowusers to be authenticated through their smartphones. In some examples,the administrator may configure the policy to allow certain users orusers having certain attributes to be authenticated through mobiledevices. For example, an IT administrator at a hospital may configurethe policy to only allow doctors and nurses to be authenticated throughmobile devices, or only allow staff of a certain department to beauthenticated through mobile devices.

FIG. 1 shows an example environment 100 in which an identity managementsystem 140 manages authentication of users. The identity managementsystem 140 is an example of a system implemented as computer programs onone or more computers in one or more locations, in which the systems,components, and techniques described below can be implemented.

The identity management system 140 manages authentication for users,such as a user 102, attempting to access resources provided by anothersystem, e.g., a system 126. For example, the identity management system140 can authenticate the user 102 to allow the user 102 to access todata, applications, desktop environments being remoted in a VirtualizedDesktop Infrastructure (VDI) environment, and so on that are managed bythe system 126. In some implementations, when a request is received bythe system 126 that requires user authentication, the system 126 canredirect the request to the identify management system 140. In someother implementations, the computer through which the request is beingsubmitted to the system 126 can determine that authentication isrequired, and transmit a request for authentication to the identitymanagement system 140.

The system 126 is a system that the user 102 can access after beingauthenticated by the identity management system 140. The system 126 isaccessible through a user computer, such as the user device 120. In someexamples, the system 126 provides applications or virtual desktops toremote users. For example, the system 126 can manage a medicalapplication used by a doctor in a hospital to access patient records fora specific patient. The system 126 can be accessed by the doctor througha computer in the specific patient's room. In another example, thesystem 126 can manage a virtual desktop used by a particular employee ofa corporation. The system 126 can be accessed by the particular employeethrough any computer in the corporation's building.

The user device 120 can be a computer, e.g., a laptop computer or atablet computer, or other appropriate electronic device through whichthe user 102 can access data, applications, or any other resource orservice provided by the system for which the identity management system140 provides authentication services. The user device 120 includes anidentity management application 122 and a browser 124.

In some examples, the user device 120 is used by multiple differentusers at different times to access the system 126, with each userneeding to authenticate themselves using their own authentication data.For example, the user device 120 can be a computer in a hospital thatcan be accessed by doctors, nurses, and patients, each of which havetheir own authentication data and access privileges.

The browser 124 can be a web browser or other application forretrieving, presenting, and interacting with information resources, ordata, through a network such as the Internet. In some examples, thebrowser 124 can be used to access information provided by servers inprivate networks or files in distributed file systems. In some examples,information resources are identified by a Uniform Resource Identifier(URI or URL) and can be a web page, image, video, or other content.

The identity management system 140 generally supports multipleauthentication mechanisms. For example, the identity management system140 can support mechanisms such as a username/password combination,two-factor authentication, etc. The identity management system 140 canalso support authentication through the use of a mobile device, such asa mobile device 110. For example, the identity management system 140 canauthenticate the user 102 through an identity management application 112running on the mobile device 110 that communicates with an identitymanagement application 122 of the user device 120 over a short rangewireless connection 125.

The short range wireless connection 125 can be a connection that canonly be established between two devices when the devices are relativelyproximate to one another. For example, the short range wirelessconnection 125 can be a connection that can only be established betweenthe mobile device 110 and the user device 120 when the devices arewithin a predetermined number of feet of each other, such as two feet,five feet, ten feet, etc. In some examples, the short range wirelessconnection 125 can be a peer-to-peer connection. In some examples, theshort range wireless connection 125 can form simple networks betweenmultiple devices. The short range wireless connection 125 can be donethrough any of a number of communication methods and/or protocols. Forexample, the communication may be through Bluetooth, NFC, etc. Bylimiting communication ranges to short distances, an additional securitymeasure of ensuring that the mobile device 110 of the user 102, and thusthe user 102, is within a specified physical proximity of the userdevice 120 to from which the user 102 is requesting access.

The identity management system 140 communicates with the mobile device110 and/or the user device 120 through a network 130, e.g., a local areanetwork (LAN), wide area network (WAN), e.g., the Internet, a cellulardata network, or a combination thereof.

The mobile device 110 can be a portable computer, e.g., a smartphone, alaptop computer, a tablet computer, or other appropriate mobileelectronic device such that a user 102 can transport the mobile device110 to various locations. The mobile device 110 includes an identitymanagement application 112. The identity management application 112 cancommunicate with other identity management applications installed onother computing devices and with the identity management system 140.

For example, the identity management system 140 can receive a requestfor authentication data from the user device 120 or from the system 126to authenticate the user 102 to access the system 126 using the userdevice 120 and then communicate with the mobile device 110 toauthenticate the user 102.

The mobile device 110 can receive a request from the user device 120 forauthentication data for the user 102 over the short range wirelessconnection 125 and transmit credential data 116 to the identitymanagement system 140 over the network 130. In response, the identitymanagement system 140 provides the authentication data 114 through thenetwork 130 to the mobile device 110.

For example, the mobile device 110 may transmit credential data 116 tothe identity management system 140 that authenticates the user 102 touse the system 126. The credential data 116 can be fingerprint data, avoice recording, an iris scan, etc., and confirms the identity of theuser 102 using the mobile device 110. In some examples, the credentialdata 116 is a token that provides a user with a secure delegated accessto server resources on behalf of a resource owner. For example, thecredential data 116 can be an OAuth 2.0 token. In some examples, thecredential data 116 is stored in a memory of the mobile device 110 orgenerated automatically by the mobile device 110 in response to arequest from the user device 120. In some other examples, the data 116is input to the mobile device 110 by the user 102. For example, theidentity management system 140 may request the credential data 116 fromthe user 102 through the network 130, and the user 102 can respond tothe request by inputting, granting access to, or generating thecredential data 116.

The identity management system 140 can respond to the credential data116 by providing the authentication data 114 to the mobile device 110through the network 130. The authentication data 114 can be a securitytoken, and can store data such as cryptographic keys, a digitalsignature, etc. For example, the data 114 can be a generated One TimePassword (OTP) token that is valid for only one login session ortransaction on a computer system or other electronic device.

The identity management system 140 can communicate with the browser 124on the user device 120 through the network 130. For example, theidentity management system 140 can receive requests for data from thebrowser 124. In some examples, the identity management system 140communicates with the user device 120 using Hypertext Transfer Protocol(HTTP).

The user 102 can access to an authentication portal 142 through thenetwork 130 that is launched by the identity management system 140.

The identity management system 140 maintains an identity managementpolicy 144. In some examples, the identity management system 140determines a method of authentication available for the user 102. Forexample, in response to receiving a request to authenticate the user102, the identity management system 140 may access the identitymanagement policy 144 and determine that mobile authentication isavailable to the user 102. The identity management system 140 maydetermine an appropriate action to take based on the method ofauthentication selected for the user 102. For example, the identitymanagement system 140 may transmit HTML data to the user device 120 witha challenge for authentication data from the mobile device 110.

The identity management policy 144 defines standards of configurationfor the server 140. For example, the policy 144 can include settings foracceptable methods of authentication for particular users, devices, etc.In some examples, the policy 144 defines acceptable values ofauthentication data. For example, the policy 144 may include data, suchas matching passwords, biometrics, etc., that will be found acceptableas authentication for a user if transmitted by the mobile device 110.

The identity management system 140 includes an authentication datagenerator 146. The authentication data generator 146 can generateauthentication data, such as the authentication data 114. In someexamples, the authentication data generator 146 generates theauthentication data 114 in response to receiving the credential data 116from the mobile device 110 and determining that the credential data 116is valid. For example, the authentication data generator 146 cangenerate the authentication data 114, in this example, a security token,to transmit to the mobile device 110 upon receiving the credential data116 from the mobile device 110.

Upon receiving the authentication data 114, the mobile device 110transmits the authentication data 114 to the user device 120 over theshort range wireless connection 125. For example, the mobile device 110can transmit the security token received from the identity managementsystem 140 to the user device 120 over NFC.

Once the user device 120 receives the authentication data 114, the userdevice 120 can transmit the authentication data 114 to the identitymanagement system 140 to authenticate the user 102. The user 102 canthen access the system 126. For example, the user device 120 cantransmit the security token received from the mobile device 110 over NFCto the identity management system 140 over the network 130.

The identity management system 140 can determine that the user 102 isauthenticated based on receiving the authentication data 114 that ittransmitted to the mobile device 110 from the user device 120, becausethe authentication data 114 is transmitted to the user device 120 overthe short range wireless connection 125. The short range wirelessconnection 125 cannot be established unless the mobile device 110 andthe user device 120 are relatively proximate to each other, and themobile device 110 provides the credential data 114 to the identitymanagement system 140 to authenticate the user 102.

Upon receiving the authentication data 114 from the user device 120, theidentity management system 140 can grant access to the system 126through the user device 120. For example, once the identity managementsystem 140 receives the security token it transmitted to the mobiledevice 110 from the user device 120, the identity management system 140can grant the user 102, a doctor, access to a medical application thatallows him to check on patient records through the user device 120.

FIG. 2 shows a diagram 200 of an example process in which the mobiledevice 110 is enrolled for use with the identity management system 140.At step 202, the user 102 or an IT administrator installs the identitymanagement application 112 on the mobile device 110. At step 204, theuser 102 or the IT administrator installs the identity managementapplication 122 on the user device 120. Once installed, the identitymanagement application 122 can communicate with the identity managementapplication 112 and the identity management system 140.

At step 206, the short range wireless connection 125 is establishedbetween the mobile device 110 and the user device 120. In some examples,the user 102 enables both the mobile device 110 and the device 120 tocommunicate through the short range wireless connection 125. Forexample, the user may enable Bluetooth on both the mobile device 110 andon the user device 120 and pair the mobile device 110 and the userdevice 120 to allow the two devices to communicate over the short rangewireless connection 125.

At step 208, the user 102 registers the mobile device 110 with theidentity management system 140. The user 102 registers the mobile device110 as an authorization client with the identity management system 140.In some examples, an IT administrator can automate the registration ofthe mobile device 110. Once the mobile device 110 is registered, anidentity management policy can be configured to allow the use of mobiledevices for authentication by the identity management system 140. Forexample, the mobile device 110 can be a smartphone that allows the user102 to be authenticated by the identity management system 140 to accessthe system 126 through the user device 120, which can be a desktopcomputer or a laptop computer, for example.

FIG. 3 shows a diagram 300 of an example process of authentication onbehalf of a user by the user's mobile device 110.

At step 302, the user 102 attempts to access the system 126 through theuser device 120. In some examples, the user 102 tries to access thesystem 126 through the browser 124 on the user device 120, or throughthe authentication portal 142. The attempt to access the system 126results in a request to the identity management system 140 forauthentication of the user 102. In some examples, the identitymanagement system 140 determines that the user 102 needs to beauthenticated based on the request for access to the system 126.

At step 304, the browser 124 submits a request for authentication of theuser 102 to the identity management system 140. For example, the browser124 can submit an HTTP request to the identity management system 140.The HTTP request can include a request to access the system 126. In someexamples, the HTTP request can be sent automatically by the browser 124without further action from the user 102.

At step 306, the identity management system 140 accesses an identitymanagement policy, such as the identity management policy 144, todetermine whether authentication through a mobile device is permitted.Permissions for mobile authentication can be dependent on many factors.For example, permissions for mobile authentication can be user specific,device specific, system specific, and so on.

At step 308, the identity management system 140 transmits a challengefor authentication data from the mobile device 110 to the browser 124 onthe user device 120. In some examples, the challenge is an HTMLchallenge for a security token, such as an OTP token. The identitymanagement system 140 can transmit the challenge upon determining thatmobile authentication is permitted for the access request.

At step 310, the browser 124 on the device 120 launches the identitymanagement application 122 on the user device 120. The launching of theidentity management application 122 can be automatic upon receiving theHTML challenge from the identity management system 140.

At step 312, the identity management application 122 on the user device120 communicates with the identity management application 112 on themobile device 102 to request authentication data over the short rangewireless connection 125. For example, the identity managementapplication 122 can communicate with the identity management application112 over NFC to request an OTP token. The identity managementapplication 122 can communicate with the identity management application112 automatically and without input from the user 102.

At step 314, the identity management application 112 on the mobiledevice 110 authenticates itself with the identity management system 140by providing the credential data 116 to the identity management system140. For example, the identity management application 112 can providevalid OAuth2 credentials that match the user 102's identity to theidentity management system 140.

At step 316, the identity management system 140 generates authenticationdata 114, such as an OTP token in response to receiving the credentialdata 116 provided by the mobile device 110 over the short range wirelessconnection 125. The identity management system 140 then transmits theauthentication data 114 over the network 130 to the mobile device 110.For example, the identity management system 140 can generate an OTPtoken and transmit the OTP token to the mobile device 110. The identitymanagement system 140 can generate and transmit the authentication data114 automatically and without input from the user.

At step 318, the identity management application 112 on the mobiledevice 110 receives the authentication data 114 and presents theauthentication data 114 to the identity management application 122 onthe user device 120 over the short range wireless connection 125. Theidentity management application 112 can present the authentication data114 to the identity management application 122 automatically and withoutinput from the user 102.

At step 320, the identity management application 122 on the user device120 presents the authentication data 114 received from the identitymanagement application 112 to the browser 124 on the user device 120.For example, the identity management application 122 can receive the OTPtoken generated by the identity management system 140 and transmitted tothe mobile device 110 and provide the OTP token to the browser 124 onthe user device 120.

At step 322, the browser 124 transmits the authentication data 114 tothe identity management system 140. The authentication data 114 isprovided to the identity management system 140 as a response to thechallenge presented by the identity management system 140 in step 308.The browser 124 can provide the authentication data 114 to the identitymanagement system 140 automatically and without user input. In somealternative implementations, the identity management 122 transmits theauthentication data 114 to the identity management system 140 directly,i.e., without presenting the data 114 to the browser 124 fortransmission to the identity management system 140.

At step 324, the identity management system 140 authenticates the user102 using the authentication data 114 and allows the user 102 access tothe system 126. For example, the identity management system 140 candetermine, based on receiving the authentication data 114 generated bythe identity management system 140 and transmitted to the mobile device110, that the user 102 is to be authenticated and provide the user 102with access to the system 126 through the user device 120. The access tothe system 126 is provided through the user device 120, and is dependenton the short range wireless connection 125 existing between the mobiledevice 110 and the user device 120. If the mobile device 110, and thusthe user 102, moves to be physically outside of a proximity to the userdevice 120 and the short range wireless connection 125 is terminated asa result, the user 102's access to the system 126 will be terminated aswell. The access to the system 126 can depend on a variety of factors,such as the amount of time the user 102 has been actively using thesystem 126, the amount of activity on the mobile device 110, and so on.

FIG. 4 shows an example technique 400 for authentication on behalf of auser by the user's mobile device.

At block 402, an identity management application running on the usercomputer receives a request to authenticate a user to access a userapplication using the user computer. For example, the user can attemptto access a patient's records through the system on the user device inthe patient's room and trigger a request being transmitted to theidentity management system, which results in a request forauthentication being provided to the identity management application.

At block 404, the identity management application on the user computerdetermines that a mobile device associated with the user is connected tothe user computer 10 using a short distance wireless connection. Forexample, the mobile device can be in the user's pocket, and thus withinrange to establish a short range wireless connection, such as aBluetooth, NFC, etc. connection.

At block 406, the identity management application submits a request tothe mobile device for authentication information or the user over theshort distance wireless connection. The authentication information canbe any appropriate form of credentials that will authenticate the user.In some examples, the requesting of the authentication information fromthe mobile device triggers an automatic process that causes the mobiledevice to request authentication information from the identitymanagement system by providing credentials for the user to the identitymanagement system.

At block 408, the identity management application receives theauthentication data for the user from the mobile device over the shortdistance wireless connection 125. In some examples, the identitymanagement system generates an OTP token and transmits the OTP token tothe mobile device, which then presents the token to the to the usercomputer as.

At block 410, the identity management application authenticates the userto access the system through the user computer in response to receivingthe authentication data. For example, the identity managementapplication can transmit the authentication data to the identitymanagement system or cause the data be transmitted to the identitymanagement system by another process on the user computer, resulting inthe authentication of the user by the identity management system.

Embodiments of the subject matter and the operations described in thisdocument can be implemented in digital electronic circuitry, or incomputer software, firmware, or hardware, including the structuresdisclosed in this document and their structural equivalents, or incombinations of one or more of them. Embodiments of the subject matterdescribed in this document can be implemented as one or more computerprograms, i.e., one or more modules of computer program instructions,encoded on computer storage medium for execution by, or to control theoperation of, data processing apparatus. Alternatively or in addition,the program instructions can be encoded on an artificially-generatedpropagated signal, e.g., a machine-generated electrical, optical, orelectromagnetic signal that is generated to encode information fortransmission to suitable receiver apparatus for execution by a dataprocessing apparatus. A computer storage medium can be, or be includedin, a computer-readable storage device, a computer-readable storagesubstrate, a random or serial access memory array or device, or acombination of one or more of them. Moreover, while a computer storagemedium is not a propagated signal, a computer storage medium can be asource or destination of computer program instructions encoded in anartificially-generated propagated signal. The computer storage mediumcan also be, or be included in, one or more separate physical componentsor media (e.g., multiple CDs, disks, or other storage devices).

The operations described in this document can be implemented asoperations performed by a data processing apparatus on data stored onone or more computer-readable storage devices or received from othersources. The term “data processing apparatus” encompasses all kinds ofapparatus, devices, and machines for processing data, including by wayof example a programmable processor, a computer, a system on a chip, ormultiple ones, or combinations, of the foregoing. The apparatus caninclude special purpose logic circuitry, e.g., an FPGA (fieldprogrammable gate array) or an ASIC (application-specific integratedcircuit). The apparatus can also include, in addition to hardware, codethat creates an execution environment for the computer program inquestion, e.g., code that constitutes processor firmware, a protocolstack, a database management system, an operating system, across-platform runtime environment, a virtual machine, or a combinationof one or more of them. The apparatus and execution environment canrealize various different computing model infrastructures, such as webservices, distributed computing and grid computing infrastructures.

A computer program (also known as a program, software, softwareapplication, script, or code) can be written in any form of programminglanguage, including compiled or interpreted languages, declarative orprocedural languages, and it can be deployed in any form, including as astand-alone program or as a module, component, subroutine, object, orother unit suitable for use in a computing environment. A computerprogram may, but need not, correspond to a file in a file system. Aprogram can be stored in a portion of a file that holds other programsor data (e.g., one or more scripts stored in a markup languagedocument), in a single file dedicated to the program in question, or inmultiple coordinated files (e.g., files that store one or more modules,sub-programs, or portions of code). A computer program can be deployedto be executed on one computer or on multiple computers that are locatedat one site or distributed across multiple sites and interconnected by acommunication network.

The processes and logic flows described in this document can beperformed by one or more programmable processors executing one or morecomputer programs to perform actions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application-specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read-only memory ora random access memory or both. The essential elements of a computer area processor for performing actions in accordance with instructions andone or more memory devices for storing instructions and data. Generally,a computer will also include, or be operatively coupled to receive datafrom or transfer data to, or both, one or more mass storage devices forstoring data, e.g., magnetic, magneto-optical disks, or optical disks.However, a computer need not have such devices. Moreover, a computer canbe embedded in another device, e.g., a mobile telephone, a personaldigital assistant (PDA), a mobile audio or video player, a game console,a Global Positioning System (GPS) receiver, or a portable storage device(e.g., a universal serial bus (USB) flash drive), to name just a few.Devices suitable for storing computer program instructions and datainclude all forms of non-volatile memory, media and memory devices,including by way of example semiconductor memory devices, e.g., EPROM,EEPROM, and flash memory devices; magnetic disks, e.g., internal harddisks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROMdisks. The processor and the memory can be supplemented by, orincorporated in, special purpose logic circuitry.

To provide for interaction with a user, embodiments of the subjectmatter described in this document can be implemented on a computerhaving a display device, e.g., a CRT (cathode ray tube) or LCD (liquidcrystal display) monitor, for displaying information to the user and akeyboard and a pointing device, e.g., a mouse or a trackball, by whichthe user can provide input to the computer. Other kinds of devices canbe used to provide for interaction with a user as well; for example,feedback provided to the user can be any form of sensory feedback, e.g.,visual feedback, auditory feedback, or tactile feedback; and input fromthe user can be received in any form, including acoustic, speech, ortactile input. In addition, a computer can interact with a user bysending documents to and receiving documents from a device that is usedby the user; for example, by sending web pages to a web browser on auser's client device in response to requests received from the webbrowser.

Embodiments of the subject matter described in this document can beimplemented in a computing system that includes a back-end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front-end component, e.g., aclient computer having a graphical user interface or a Web browserthrough which a user can interact with an implementation of the subjectmatter described in this document, or any combination of one or moresuch back-end, middleware, or front-end components. The components ofthe system can be interconnected by any form or medium of digital datacommunication, e.g., a communication network. Examples of communicationnetworks include a local area network (“LAN”) and a wide area network(“WAN”), an inter-network (e.g., the Internet), and peer-to-peernetworks (e.g., ad hoc peer-to-peer networks).

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other. In someembodiments, a server transmits data (e.g., an HTML page) to a clientdevice (e.g., for purposes of displaying data to and receiving userinput from a user interacting with the client device). Data generated atthe client device (e.g., a result of the user interaction) can bereceived from the client device at the server.

While this document contains many specific implementation details, theseshould not be construed as limitations on the scope of any inventions orof what may be claimed, but rather as descriptions of features specificto particular embodiments of particular inventions. Certain featuresthat are described in this document in the context of separateembodiments can also be implemented in combination in a singleembodiment. Conversely, various features that are described in thecontext of a single embodiment can also be implemented in multipleembodiments separately or in any suitable subcombination. Moreover,although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the embodiments described above should not be understoodas requiring such separation in all embodiments, and it should beunderstood that the described program components and systems cangenerally be integrated together in a single software product orpackaged into multiple software products.

Thus, particular embodiments of the subject matter have been described.Other embodiments are within the scope of the following claims. In somecases, the actions recited in the claims can be performed in a differentorder and still achieve desirable results. In addition, the processesdepicted in the accompanying figures do not necessarily require theparticular order shown, or sequential order, to achieve desirableresults. In certain implementations, multitasking and parallelprocessing may be advantageous.

What is claimed is:
 1. A method comprising: receiving, by an identitymanagement application running on a user computer, a request toauthenticate a user to access a user application using the usercomputer; determining, by the identity management application running onthe user computer, that a mobile device associated with the user isconnected to the user computer using a short distance wirelessconnection; requesting, by the identity management application runningon the user computer, authentication information for the user from themobile device over the short distance wireless connection; receiving, bythe identity management application running on the user computer, theauthentication information for the user from the mobile device over theshort distance wireless connection; and in response to receiving theauthentication information, authenticating the user to access the userapplication using the user computer.
 2. The method of claim 1, furthercomprising: determining, by the identity management application runningon the user computer, that the mobile device is no longer connected tothe user computer using the short distance wireless connection; and inresponse, revoking the authentication for the user to access the userapplication using the user computer.
 3. The method of claim 1, whereinthe short distance wireless connection is a connection that can only beestablished between devices that are within a relative proximity of eachother.
 4. The method of claim 1, wherein the determining, therequesting, the receiving, and the authenticating occur automatically inresponse to receiving the request to authenticate the user to access theuser application using the user computer.
 5. The method of claim 1,wherein the authentication information can only be used to authenticatethe user once.
 6. The method of claim 1, further comprising: receiving,by the mobile device, the request for authentication information fromthe user computer over the short distance wireless connection; inresponse to the request: providing credentials for the user to anidentity management system; receiving the authentication informationfrom the identity management system in response to providing thecredentials, and providing the authentication information to the usercomputer over the short distance wireless connection.
 7. The method ofclaim 6, further comprising: receiving, by the identity managementsystem, a request to authenticate the user; determining, by the identitymanagement system, that mobile authentication is available for therequest to authenticate the user; and providing a challenge to the usercomputer for credentials from the mobile device.
 8. The method of claim7, wherein authenticating the user to access the user application usingthe user computer comprises: providing the authentication information tothe identity management system in response to the challenge or causingthe authentication information to be provided to the identity managementsystem in response to the challenge.
 9. The method of claim 6, furthercomprising: receiving, by the identity management system, thecredentials from the mobile device; generating, by the identitymanagement system, the authentication information; and transmitting, bythe identity management system, the authentication information to themobile device.
 10. A system comprising: one or more computers; and oneor more storage devices encoded with instructions that when executed bythe one or more computers cause the one or more computers to performoperations comprising: receiving a request to authenticate a user toaccess a user application using a user computer; determining that amobile device associated with the user is connected to the user computerusing a short distance wireless connection; requesting authenticationinformation for the user from the mobile device over the short distancewireless connection; receiving the authentication information for theuser from the mobile device over the short distance wireless connection;and in response to receiving the authentication information,authenticating the user to access the user application using the usercomputer.
 11. The system of claim 10, the operations further comprising:determining that the mobile device is no longer connected to the usercomputer using the short distance wireless connection; and in response,revoking the authentication for the user to access the user applicationusing the user computer.
 12. The system of claim 10, wherein the shortdistance wireless connection is a connection that can only beestablished between devices that are within a relative proximity of eachother.
 13. The system of claim 10, wherein the determining, therequesting, the receiving, and the authenticating occur automatically inresponse to receiving the request to authenticate the user to access theuser application using the user computer.
 14. The system of claim 10,wherein the authentication information can only be used to authenticatethe user once.
 15. The system of claim 10, the operations furthercomprising: receiving, by the mobile device, the request forauthentication information from the user device over the short distancewireless connection; in response to the request: providing credentialsfor the user to an identity management system; receiving theauthentication information from the identity management system inresponse to providing the credentials, and providing the authenticationinformation to the user computer over the short distance wirelessconnection.
 16. One or more non-transitory computer readable mediastoring instructions that when executed by one or more computers causethe one or more computers to perform operations comprising: receiving,by an identity management application running on a user computer, arequest to authenticate a user to access a user application using theuser computer; determining, by the identity management applicationrunning on the user computer, that a mobile device associated with theuser is connected to the user computer using a short distance wirelessconnection; requesting, by the identity management application runningon the user computer, authentication information for the user from themobile device over the short distance wireless connection; receiving, bythe identity management application running on the user computer, theauthentication information for the user from the mobile device over theshort distance wireless connection; and in response to receiving theauthentication information, authenticating the user to access the userapplication using the user computer.
 17. The computer readable medium ofclaim 16, the operations further comprising: determining, by theidentity management application running on the user computer, that themobile device is no longer connected to the user computer using theshort distance wireless connection; and in response, revoking theauthentication for the user to access the user application using theuser computer.
 18. The computer readable medium of claim 16, wherein theshort distance wireless connection is a connection that can only beestablished between devices that are within a relative proximity of eachother.
 19. The computer readable medium of claim 16, wherein thedetermining, the requesting, the receiving, and the authenticating occurautomatically in response to receiving the request to authenticate theuser to access the user application using the user computer.
 20. Thecomputer readable medium of claim 16, wherein the authenticationinformation can only be used to authenticate the user once.